Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

What is ITAR Compliance? Definition and Regulations

4 min read
Last updated Jun 23, 2022


    The International Traffic in Arms Regulations (ITAR) is the United States regulation that controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML).

    In this article, we'll cover: 

    Besides rocket launchers, torpedoes, and other military hardware, the list also restricts the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. This is referred to by ITAR as “technical data”.

    Get the Free Essential Guide to US Data Protection Compliance and Regulations

    ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only. How can a company ensure that only US citizens have and then access that data on a network and are ITAR compliant? Limiting access to the physical materials is straightforward; limiting access to digital data is more complicated.

    Who Needs To Follow ITAR Compliance?

    who needs to be ITAR compliant?

    Any company that handles, manufactures, designs, sells, or distributes items on the USML must be ITAR compliant. The State Department’s Directorate of Defense Trade Controls (DDTC) manages the list of companies who can deal in USML goods and services, and it is up to each company to establish policies to comply with ITAR regulations.

    • Wholesalers
    • Distributors
    • Computer Software/ Hardware vendors
    • Third-party suppliers
    • Contractors

    Every company in the supply chain needs to be ITAR compliant. If company A sells a part to company B and then company B sells the same part to a foreign power, company A is also in violation of ITAR.

    ITAR Regulations

    ITAR regulations are simple: only U.S. citizens can access items on the USML list.

    ITAR’s rules can present a challenge for many US companies. A US-based company with overseas operations is prohibited from sharing ITAR technical data with employees locally hired, unless they gain State Dept. authorization. The same principle applies when US companies work with non-US subcontractors.

    The State Department can issue exemptions to that one rule, and there are existing exemptions established for specific purposes. There are certain countries that currently have standing agreements with the U.S. that apply to ITAR – Australia, Canada, and the U.K., for example.

    The US government requires having in place and implementing a documented ITAR compliance program, which should include tracking, monitoring and auditing of technical data. With technical data, it’s also a good idea to tag each page with an ITAR notice or marker so employees don’t accidentally share controlled information with unauthorized users.

    ITAR exists to track military and defense sensitive material and to keep that material out of the hands of U.S. enemies. Noncompliance can result in heavy fines along with significant brand and reputation damage — not to mention the potential loss of business to a compliant competitor.

    Penalties for ITAR Compliance Violations

    Penalties for ITAR Compliance Violations
    The penalties for ITAR infractions are stiff:

    • Civil fines up to $500,000 per violation
    • Criminal fines of up to $1 million and/or 10 years imprisonment per violation

    In April of 2018, the State Department fined FLIR Systems, Inc $30 million in civil penalties for transferring USML data to dual national employees. Part of the penalty requires that FLIR implement better compliance measures and hire an outside official to oversee their agreement with the State Department.

    In 2007 ITT took at $100 million fine to the face for exporting night-vision technology illegally. ITT thought they could workaround the restrictions, the Government didn’t agree with their interpretation of the rules.

    Types of Defense Articles

    There are 21 categories of Defense Articles in the USML. A defense article is anything on this long and oddly specific list.

      1. Firearms, Close Assault Weapons and Combat Shotguns
      2. Guns and Armament
      3. Ammunition/Ordnance
      4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
      5. Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents
      6. Surface Vessels of War and Special Naval Equipment
      7. Ground Vehicles
      8. Aircraft and Related Articles
      9. Military Training Equipment and Training
      10. Personal Protective Equipment
      11. Military Electronics
      12. Fire Control, Laser, Imaging and Guidance Equipment
      13. Materials and Miscellaneous Articles
      14. Toxicological Agents, Including Chemical Agents, Biological Agents and Associated Equipment
      15. Spacecraft and Related Articles
      16. Nuclear Weapons Related Articles
      17. Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
      18. Directed Energy Weapons
      19. Gas Turbine Engines and Associated Equipment
      20. Submersible Vessels and Related Articles
      21. Articles, Technical Data and Defense Services Not Otherwise Enumerated

    How to Secure Your ITAR Data

    Given the penalties associated with ITAR, it makes sense to protect the digital data with as many layers of security as possible. Because ITAR is a U.S. Federal regulation, their own guidance for data security is a great place to start. NIST SP 800-53 defines the standards and guidelines federal agencies must follow, and any company that manages ITAR regulated materials should use NIST SP 800-53 as a baseline for their own security standards.. Follow these basic principles to secure your ITAR data:

    • Discover and Classify Sensitive Data
      Locate and secure all sensitive data
      Classify data based on business policy
    • Map Data and Permissions
      Identify users, groups, folder and file permissions
      Determine who has access to what data
    • Manage Access Control
      Identify and deactivate stale users
      Manage user and group memberships
      Remove Global Access Groups
      Implement a least privilege model
    • Monitor Data, File Activity, and User Behavior
      Audit and report on file and event activity
      Monitor for insider threats, malware, misconfigurations and security breaches
      Detect security vulnerabilities and remediate

    ITAR Compliance FAQs

    1. How can Varonis help me find all of my ITAR data?
      The Data Classification Engine identifies and classifies regulated data on your core data stores – both on-premise and in the cloud. You can configure rules to identify ITAR data and even apply custom tags, flags, and notes to regulated data.
    2. Who can access this ITAR data?
      Varonis DatAdvantage crawls your file systems to analyze permissions to all of your data, including the ITAR data. Understanding who can access this data is step one to protecting the data from illegal access. With DatAdvantage, you can see this information graphically in a clean, user-friendly UI, or as an exportable report.
    3. How will I know if my ITAR data is accessed?
      Varonis DatAlert monitors and trigger alerts when data is accessed, including a folder of your ITAR data. You can detect, flag, and investigate any suspicious behavior or unusual activity on your ITAR data, and maintain a complete audit trail to help meet ITAR regulations.
    4. How can I manage access to ITAR data?
      The Automation Engine automatically repairs and maintains file system permissions – keeping ITAR data locked down, and helping achieve a least privilege model. Varonis DataPrivilege helps streamline access governance, automatically enforce security policies, and demonstrate compliance to government auditors.

    Want to learn more about how to manage your ITAR data to meet compliance? Get a 1:1 demo with a security engineer to see how Varonis can help.

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    Free Data Risk Assessment

    Join 7,000+ organizations that traded data darkness for automated protection. Get started in minutes.